Archive for July, 2010

Adobe’s popular PDF viewer, Adobe Reader, always attracts large amount of hackers who try to exploit its vulnerabilities. Some reports found that Adobe Reader is at the top list for having the most exploits for web-based attacks. Now, the company wants to “turning to sandboxing technology designed to isolate code from other parts of the computer.” A “protected mode” will be added to the Adobe Reader for Windows which will be enabled by default and release later this year. Because of minor attack against Macintosh system, there is no plan to implement this feature to Mac OS yet.

Several changes will be made due to sandbox mechanism. The PDF processing will be confined, such as executing JavaScript, parsing JPEG image etc. Application running in the Adobe Reader will not be able to communicate with the operating system any more. “This is an additional layer of defense that will help protect users in case they encounter a malicious or corrupted PDF.” said Brad Arkin, the director of product security and privacy of Adobe. The new feature could limit the number of exploits, but not all of them. Some attacks like phishing and weak cryptography still exist.

Some experts believe that Sandbox can not prevent code execution vulnerability, but it makes attacks much hard to success. With Sandbox, the attackers need to find vulnerability in both programs, Reader and Sandbox.

On July 16, Microsoft released Security Advisory 2286198 confirmed the Windows shortcut flaw that exposes all windows user of all current versions of Windows system to very serious attacks, including fully patched Windows 7 system.

Just by opening a directory containing the infected shortcut will get user infected. Once the infected shortcut icon is displayed in Windows Explorer, malicious code is launched without any further user interaction. Hackers have already developed malware that spreads via USB sticks, using this vulnerabilities. Independent security researcher Frank Boldewin had found the attack is currently targeted toward the WinCC SCADA system by Siemens. “Looks like this malware was made for espionage,” Boldewin writes.

On Sunday, a researcher known as “Ivanlef0u” published aproof-of-concept code to several locations on the Internet. There is already a Metasploit module that implements the exploit with the WebDAV method.

To protect yourself from the attack, Microsoft suggests disabling the displaying of icon for shortcut and turning off WebClient service as workarounds against possible attacks. Please reference Microsoft advisory for details of how to “Disable the displaying of icons for shortcuts“. Another way to protect yourself is to use Didier Stevens’ tool Ariad .

Additional information on the flaw can be found in a blog post by the SANS Institute’s Internet Storm Centre here.

A new OS called REMnux has been released from Lenny Zeltser, a security expert specializing on malware reverse engineering. REMnux is a lightweight version of Ubuntu originally distributed as a VMware virtual appliance, which can be booted via several VMware products or through X-Windows. The OS was also recently released as an ISO image of a Live CD.

The classical approach to analyze malware is to set up a virtual machine on a computer specifically designed for that purpose and then release the malware and monitor how it affects the system. The drawback of this protocol is that much of the malware’s behavior can remain hidden, while deeper analysis is not a convenient option.

REMnux comes as a solution to these disadvantages and offers an alternative approach for taking apart a malicious code. Typically, infection of another laboratory system with the malware sample is followed by direction of the potentially-malicious connections to the REMnux “monitoring” ports.

This approach combines a generous number of popular malware-analysis, reverse-engineering, network monitoring, and memory forensic tools. Amongst them, REMnux contains three tools for analyzing Flash-specific malware, namely SWF tools, Flasm, and Flare. Furthermore, it contains several applications for analyzing malicious PDFs, such as the Didier Steven’s analysis tools. The OS also provides a lot of tools for de-obfucating JavaScript, including Rhino debugger, a NoScript-version of Firefox, JavaScript Deobfuscator and Firebug, and Windows Script Decoder. In addition to the above analysis tools, a small Web server, an IRC server, and a pseudo-DNS server are also included. Further, several tools for network monitoring and interactions, such as the virtual honeypot server, HoneyD, as well as Wireshark, INetSim, fakedns and fakesmtp scripts, and NetCat are also part of REMnux.

Behind the development of REMnux stands the idea of providing a useful set of tools for people interested in the field, rather than a be-all reverse-engineering environment. As Zeltser himself puts it: “This doesn’t have every tool in it, because I think people can get distracted with too many tools in there”. On the contrary, Zeltser states that this OS targets beginners or people that are not Linux experts. He also hopes that users’ input and comments will aid in further development of REMnux to reach an improved version of the OS.

Any interested and adventurous potential developers, who would like to contribute to the improvement of REMnux, are welcomed to contact Lenny Zelter directly.